Security researchers have discovered a new botnet that has anti-virtual machine capabilities to evade security controls such as a sandbox.
According to a report released by Radware, the malware, dubbed DarkSky, features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. The company said that the bot is now available for sale for less than US$20 (£15) over the Darknet.
According to Yuval Shapira, a security researcher at Radware, DarkSky is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real’ machines.
The company has been tracking the malware since its early versions in May 2017. Shapira said that developers of the malware have been enhancing its functionality and released the latest version in December 2017. He added that its popularity and use are increasing.
According to Shapira, the bot is suspected of spreading via traditional means of infection such as exploit kits, spear phishing and spam emails.
It can perform DDoS attacks using several vectors, such as DNS Amplification, TCP (SYN) Flood, UDP Flood, and HTTP Flood attacks. The server the malware communicates with also has a “Check Host Availability” function to check if the DDoS attack succeeded.
DarkSky can download malicious files from a remote server and execute the downloaded files on the infected machine.
“After looking at the downloaded files from several different botnets, Radware noticed cryptocurrency-related activity where some of the files are simple Monero cryptocurrency miners and others are the latest version of the ‘1ms0rry’ malware associated with downloading miners and cryptocurrencies,” said Shapira.
The malware can turn the infected machine into a SOCKS/HTTP proxy to route traffic through the infected machine to a remote server.
Shapira said that the malware installs silently with almost no changes on the infected machine. To ensure persistence on the infected machine, it will either create a new key under the registry path “RunOnce” or create a new service on the system.
“When the malware executes, it will generate an HTTP GET request to ‘/activation.php?key=’ with a unique User-Agent string ‘2zAz’. The server will then respond with a ‘Fake 404 Not Found’ message if there are no commands to execute on the infected machine,” he said.
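The check-in described above gives defenders two network indicators to hunt for. The following is an added example, not code from Radware or from this article's sources: it scans proxy or web-server logs for the request path and User-Agent quoted above, assuming logs in Combined Log Format; the function names, verdict labels and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators as quoted in the article; everything else here is an assumption.
C2_PATH, C2_PARAM, C2_USER_AGENT = "/activation.php", "key", "2zAz"

# Assumed input format: proxy or web-server logs in Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (client, verdict) for a suspicious log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])  # works for absolute-form and origin-form targets
    query = parse_qs(url.query, keep_blank_values=True)  # keep an empty "key="
    path_hit = url.path.lower().endswith(C2_PATH) and C2_PARAM in query
    ua_hit = m["ua"] == C2_USER_AGENT
    if path_hit and ua_hit:
        # Per the article an idle server answers with a fake 404; any other
        # status on this request pattern deserves a closer look.
        return m["client"], "checkin-404" if m["status"] == "404" else "checkin-other"
    if path_hit or ua_hit:
        return m["client"], "partial"  # one indicator alone: triage, not proof
    return None

def suspected_hosts(lines):
    """Map each client address to the set of verdicts seen for it."""
    hosts = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            hosts[hit[0]].add(hit[1])
    return dict(hosts)

# Constructed sample lines (documentation addresses, made-up host names).
SAMPLE = [
    '192.0.2.10 - - [10/Jan/2018:09:15:01 +0000] "GET http://c2.example.test/activation.php?key=a1b2 HTTP/1.1" 404 162 "-" "2zAz"',
    '192.0.2.10 - - [10/Jan/2018:09:20:01 +0000] "GET http://c2.example.test/activation.php?key=a1b2 HTTP/1.1" 200 48 "-" "2zAz"',
    '192.0.2.22 - - [10/Jan/2018:09:21:40 +0000] "GET /activation.php?key=trial HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.30 - - [10/Jan/2018:09:22:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, verdicts in sorted(suspected_hosts(SAMPLE).items()):
        print(host, sorted(verdicts))
```

A "partial" verdict covers hosts that match only the path or only the User-Agent, such as legitimate software with its own activation page, so it is a lead for triage rather than a confirmed infection.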
When DarkSky executes, it will perform several anti-virtual machine checks looking for instances of VMware, Vbox and Sandboxie. It will also look for the Syser kernel debugger.
Fraser Kyne, EMEA CTO, Bromium, told SC Media UK that malware writers are increasingly proficient at avoiding detection and evading tools like sandboxes.
Caleb Fenton, Threat Team lead at SentinelOne, told SC Media UK that ultimately, no security product can perfectly defend against all attacks.